Is Content Security Policy 'unsafe-inline' deprecated?

I'm developing a Chrome extension, and following the Google Docs I tried to add 'unsafe-inline' to the CSP.

However, after doing so and trying to reload my extension at chrome://extensions/ I get:

There were warnings when trying to install this extension: Ignored insecure CSP value "'unsafe-inline'" in directive 'script-src'.

For reference, the whole CSP as defined in manifest.json:

"content_security_policy": "script-src 'self' 'unsafe-inline' https://localhost:8000; object-src 'self'"

So why can't I set 'unsafe-inline'?

It is not deprecated; it is perfectly fine on the web.

But it is simply not allowed in extensions, as a security measure (and, frankly, as enforcement of good practice).

The Documentation explains what you can and cannot do with CSP.

Up until Chrome 45, there was no mechanism for relaxing the restriction against executing inline JavaScript. In particular, setting a script policy that includes 'unsafe-inline' will have no effect.

As of Chrome 46, inline scripts can be whitelisted by specifying the base64-encoded hash of the source code in the policy. This hash must be prefixed by the used hash algorithm (sha256, sha384 or sha512). See Hash usage for elements for an example.

Don't use inline scripts - there is no need to. The same documentation shows how to deal with it.